From 040955fb39f8df183adda6fa19761a1ede36f624 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Mon, 13 Jun 2022 11:30:46 +0200 Subject: [PATCH] BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup LIST_ELEM macro was incorrectly used in the loop when purging flow-control frames from qcc.lfctl.frms on MUX release. This caused a segfault in qc_release() due to an invalid quic_frame pointer instance. The occurence of this bug seems fairly rare. To happen, some flow-control frames must have been allocated but not yet sent just as the MUX release is triggered. I did not find a reproducer scenario. Instead, I artificially triggered it by inserting a quic_frame in qcc.lfctl.frms just before purging it in qc_release() using the following snippet. struct quic_frame *frm; frm = pool_zalloc(pool_head_quic_frame); LIST_INIT(&frm->reflist); frm->type = QUIC_FT_MAX_DATA; frm->max_data.max_data = 0; LIST_APPEND(&qcc->lfctl.frms, &frm->list); This should fix github issue #1747. This must be backported up to 2.6. --- src/mux_quic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mux_quic.c b/src/mux_quic.c index 0b65b8f2c..9449b86fe 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -752,7 +752,7 @@ static void qc_release(struct qcc *qcc) } while (!LIST_ISEMPTY(&qcc->lfctl.frms)) { - struct quic_frame *frm = LIST_ELEM(&qcc->lfctl.frms, struct quic_frame *, list); + struct quic_frame *frm = LIST_ELEM(qcc->lfctl.frms.n, struct quic_frame *, list); LIST_DELETE(&frm->list); pool_free(pool_head_quic_frame, frm); }
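Review bot: The new line reaches into the list head's `.n` member by hand, which is the same raw pointer handling that let the original `LIST_ELEM(&qcc->lfctl.frms, ...)` pass review; HAProxy's list.h, as far as I recall, provides a `LIST_NEXT(lh, pt, el)` wrapper and the `list_for_each_entry_safe()` iterator, either of which states the intent ("first element of the list") without an unchecked field access, e.g. `struct quic_frame *frm = LIST_NEXT(&qcc->lfctl.frms, struct quic_frame *, list);`. The loop also hands every remaining frame straight to `pool_free()`, but nothing in the hunk records why that is safe; I would add above the `while` a comment such as `/* Free flow-control frames that were allocated but never sent: such a frame is referenced only from lfctl.frms, so it can be released directly. */`, and confirm that claim against the code that moves sent frames off this list, since a frame still referenced from a packet would turn this into a use-after-free. qc_release() starts before the hunk, so the rest of the teardown is not visible here.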